Subscribe to our InfoBytes Blog weekly newsletter and other publications for news affecting the financial services industry.
Basel Committee on Banking Supervision Issues Consultative Document on Implications of Fintech for the Banking Industry
As waves of innovative financial technology (fintech) continue to reshape the financial services landscape, banking institutions and their supervisors have invested significant effort in analyzing its impact and developing an appropriate response. On August 31, the Basel Committee on Banking Supervision (BCBS), the primary global standard setter for the prudential regulation of banks, weighed in. Through the release of a consultative document, Sound Practices: Implications of fintech developments for banks and bank supervisors, the BCBS identified 10 key observations, accompanied by 10 recommendations, for banks and bank supervisors to address the challenges posed by advances in fintech.
The report summarizes the main findings of a BCBS task force established to analyze developments in fintech and their impact on the banking industry. Quantifying the size and growth of fintech is difficult; among other reasons, most jurisdictions have not formally defined “fintech” (notably, the report includes a glossary of terms and acronyms related to the delivery of fintech products and services, and is the first attempt by the BCBS to provide a common definition in this space). Yet the significant number of financial products and services derived from fintech innovations and the trend of rising investment in fintech companies globally warrants attention. As the BCBS acknowledges, while the impact of fintech on banking remains uncertain, “that change could be fast-paced and significant.”
In its report, the BCBS observes that the rise of fintech innovation has resulted in “a battle for the customer relationship and customer data,” the result of which “will be crucial in determining the future role of banks.” To assess the impact of the evolution of fintech products and services, the BCBS identified five stylized scenarios describing the potential impact of fintech on banks. In addition, the BCBS assessed six case studies focused on specific innovations (e.g., big data, cloud computing, innovative payment services, and neo-banks), in order to understand the individual risks and opportunities of a specific fintech development through the different scenarios. The extent to which banks or new fintech entrants will own the customer relationship varied across each scenario. However, in almost every scenario, the position of the incumbent banks will be challenged. The BCBS finds that “a common theme across the various scenarios is that banks will find it increasingly difficult to maintain their current operating models, given technological change and customer expectations.”
In analyzing fintech’s potential impact, the BCBS analyzes previous waves of innovation in banking, such as ATMs, electronic payments, and the Internet. While each of these have changed the face of banking, the BCBS highlights two key differences as it concerns fintech’s potential impact: the current pace of innovation is faster now than in previous decades and the pace of adoption has also increased. As a result, the Committee warns, “the effects of innovation and disruption can happen more quickly than before, implying that incumbents may need to adjust faster.”
The BCBS stated that banking standards and supervisory expectations “should be adaptive to new innovations, while maintaining appropriate prudential standards.” Against this backdrop, the Committee concluded its report with 10 key observations and recommendations for consideration by banks and bank supervisors.
- The overarching need to ensure safety and soundness and high compliance standards without inhibiting beneficial innovation in the banking sector;
- Key risks for banks related to fintech developments, including strategic/profitability risks, operational, cyber and compliance risks;
- Implications for banks of the use of innovative enabling technologies;
- Implications for banks of the growing use of third parties, via outsourcing and/or partnerships;
- Cross-sectoral cooperation between supervisors and other relevant authorities;
- International cooperation between banking supervisors;
- Adaptation of the supervisory skillset;
- Potential opportunities for supervisors to use innovative technologies ("suptech");
- Relevance of existing regulatory frameworks for new innovative business models; and
- Key features of regulatory initiatives set up to facilitate fintech innovation.
By issuing this guidance, BCBS is prompting global regulators to address technological advancements and novel business models with the same sense of urgency that the banking and fintech industries are employing. It will be incumbent on the financial services industry – traditional and novel business models alike – to work together to inform and shape what those supervisory guidelines will look like.
Comments on BCBS’s consultative document will be accepted through October 31, 2017.
On August 15, the FTC issued a press release announcing a settlement with a ride-sharing company over allegations that it violated the Federal Trade Commission Act by making deceptive claims about its privacy and data practices. According to the complaint, the company allegedly failed to closely monitor and audit its employees’ internal access to consumer and driver data. Furthermore, the company represented to consumers and drivers that personal information stored in its databases were secure, but, according to the FTC, failed to implement reasonable measures to prevent unauthorized access to consumers and driver data maintained by the ride-sharing company’s third-party cloud service provider. Both counts, the FTC alleged, demonstrated false or misleading representations. In the press release, FTC Acting Chairman Maureen K. Ohlhausen said, “This case shows that, even if you’re a fast growing company, you can’t leave consumers behind: you must honor your privacy and security promises.”
Under the terms of the decision and order, the company has agreed to establish, implement, and maintain a written “comprehensive privacy program,” reasonably designed to: (i) “address privacy risks related to the development and management of new and existing products and services for consumers,” and (ii) “protect the privacy and confidentiality of Personal Information.” The company is also required to obtain biennial independent third-party assessments to address privacy controls requirements and “certify that the privacy controls are operating with sufficient effectiveness to provide reasonable assurance to protect the privacy of Personal Information and that the controls have operated throughout the reporting period.”
The agreement with the FTC will be subject to public comment for 30 days through September 15, at which point the FTC will decide whether to make the proposed consent order final.
On August 7, the SEC’s Office of Compliance Inspections and Examinations issued a risk alert entitled “Observations from Cybersecurity Examinations,” which provides findings and observations concerning industry practices and legal and compliance issues related to cybersecurity preparedness. The SEC examined 75 SEC registered firms as part of its Cybersecurity 2 Initiative and noted an improvement overall in terms of (i) creating and implementing cybersecurity policies and procedures and response plans; (ii) conducting periodic risk assessments to identify threats and vulnerabilities; (iii) implementing measures to ensure regular system maintenance checks; (iv) maintaining processes for identifying cybersecurity roles and responsibilities; (v) receiving authority from customers and shareholders concerning fund transfer authority; and (vi) conducting vendor risk assessments or requiring risk management from vendors. However, the SEC identified areas in need of improvement, such as failure to tailor or enforce policies and procedures or conduct adequate system maintenance to safeguard customer information. Also included in the alert are examples of best practices and guidance for firms to follow when implementing cybersecurity-related policies and procedures.
Separately, that same day the International Monetary Fund (IMF) released a working paper discussing cyber risk awareness and the policy measures, regulatory frameworks, and supervisory measures affecting financial institutions’ approaches to systemic cyber risk. The IMF paper, entitled “Cyber Risk, Market Failures, and Financial Stability,” presents an overview of recent cyberattacks on the financial services industry, and stresses that cyber risk management requires that risks identified as part of a threat identification process must be “actively managed” to “ensure that cybersecurity-related measures are appropriate for and commensurate with the underlying risk.” Risk avoidance, risk reduction, and risk transfer are options for effective management. The paper further notes that, as a result of a predominance of cyber risk assessment centering on individual institutions (which constructs a relatively narrow view), insufficient attention has been given to systemic cyber risk that occurs commonly when financial institutions are exposed to “access vulnerabilities, risk concentration, risk correlations, or contagion effects (including through reputational channels).” The paper states that a need exists for regulatory reform and effective policy change “to build resilience through investment in cyber security while giving institutions flexibility to address the risks in the way they see as optimal.” Suggestions for measures—including national and international coordination—to strengthen resilience to cyber risk are also provided.
On July 31, the FTC announced it has approved TRUSTe’s proposed modifications to its Children’s Online Privacy Protection Rule's (COPPA) safe harbor program. As previously covered in InfoBytes, COPPA regulates what websites and online services are required to do to ensure the protection of children’s privacy and safety online. The safe harbor program allows the FTC to review and approve “self-regulatory guidelines” submitted by industry groups that implement “the same or greater protections for children” as those contained in the COPPA Rule, and subjects approved groups to safe harbor review and disciplinary procedures instead of formal enforcement action. Among the approved modifications is a change which requires all participants to conduct a comprehensive annual internal assessment of any third-party or service provider that collects personal information from children on their websites or through online services.
On July 26, the FDIC issued Financial Institution Letter FIL-31-2017 to announce updates to its Risk Management Manual of Examination Policies. The revisions, which incorporated guidance from the FDIC’s Board of Directors, updated the Report of Examination Instructions regarding matters requiring board attention and “deviations from the safety and soundness principles underlying statements of policy.” The revision also included updated instructions for examiners to use when complying with examination schedules. The letter applies to all FDIC-supervised financial institutions.
On July 7, the Office of the Comptroller of the Currency (OCC) announced the release of its Semiannual Risk Perspective for Spring 2017 indicating key risk areas for national banks and federal savings associations. Acting Comptroller of the Currency Keith Noreika pointed out in his remarks that, “[w]hile these are risks that the system faces as a whole, we note that the risks differ from bank to bank based on size, region, and business model. Compliance, governance, and operational risk issues remain leading risk issues for large banks while strategic, credit, and compliance risks remain the leading issues for midsize and community banks.”
The report details the four top risk areas:
- Elevated strategic risk—banks are expanding into new products and services as a result of fintech competition. According to the report, this competition is increasing potential risks. The OCC hopes to finish developing a special purpose banking charter for fintech companies soon.
- Increased compliance risk—banks must comply with anti-money laundering rules and the Bank Secrecy Act in addition to addressing increased cybersecurity challenges and new consumer protection laws.
- Upswing in credit risk—underwriting standards for commercial and retail loans have been relaxed as banks exhibit greater enthusiasm for risk and attempt to maintain loan market share as competition increases.
- Rise in operational risk—banks face increasingly complex cyber threats while relying on third-party service providers, which may be targets for hackers.
The report used data for the 12 months ending December 31, 2016.
On July 25, the OCC will host an operational risk workshop in Charleston, WV for directors of national community banks and federal savings associations supervised by the OCC. The workshop will focus on the key components of operational risk, governance, third-party risk, vendor management, and cybersecurity.
Additionally, on July 24 through the 26, the OCC’s Office of Innovation will hold “Office Hours” in New York City for national banks, federal savings associations, and fintech companies to provide an opportunity for attendees to discuss matters related to financial technology, new products and services, bank or fintech partnerships, as well as other items related to financial innovation. Meeting requests are due by July 5 and may be submitted here.
OCC Supplement Answers Frequently Asked Questions Covering Third-Party Relationships: Risk Management Guidance
On June 7, the OCC released Bulletin 2017-21, which provides answers to frequently asked questions from national banks and federal saving associations concerning third-party procedure guidance. The Bulletin, issued to supplement Bulletin 2013-29, “Third-Party Relationships: Risk Management Guidance” released October 30, 2013, highlights the OCC’s responses to the following topics:
- defines third-party relationships and provides guidance on conducting due diligence and ongoing monitoring of service providers;
- provides insight on how to adjust risk management practices specific to each relationship;
- discusses ways to structure third-party risk management processes;
- discusses advantages and disadvantages to collaboration between multiple banks when managing third-party relationships;
- outlines bank-specific requirements when using collaborative arrangements;
- provides information-sharing forums that offer resources to help banks monitor cyber threats;
- discusses how to determine whether a fintech relationships is a “critical activity” and covers risks associated with engaging a start-up fintech company;
- addresses ways in which banks and fintech companies can partner together to serve underbanked populations;
- covers criteria to consider when entering into a marketplace lending arrangement with a nonbank entity;
- clarifies whether OCC Bulletin 2013-29 applies when a bank engages a third-party to provide mobile payments options to consumers;
- outlines the OCC’s compliance management requirements;
- discusses banks’ rights to access interagency technology service provider reports; and
- answers whether a bank can rely on the accuracy of a third-party’s risk management report.
As previously covered in InfoBytes, the OCC released a supplement (Bulletin 2017-7) to Bulletin 2013-29 in January of this year identifying steps prudential bank examiners should take when assessing banks’ third-party relationship risks.
On May 31, the Federal Financial Institutions Examination Council (FFIEC) announced the release of an update to the Cybersecurity Assessment Tool (CAT) developed to aid institutions in determining their risk profiles, identifying risks, and determining cybersecurity preparedness. The update details changes made to the FFIEC IT Examination Handbook and provides a revised mapping in Appendix A to the updated Information Security and Management booklets. The press release notes that “[m]anagement of financial institutions and management of third-party service providers are primarily responsible for assessing and mitigating their entities’ cybersecurity risk. Outlined in Appendix A, the CAT is a framework designed to provide a “repeatable and measurable process” to measure cybersecurity in areas such as cyber risk management and oversight, threat intelligence and collaboration, cybersecurity controls, external dependency management, and cyber incident management and resilience. The CAT also provides “additional response options, allowing financial institution management to include supplementary or complementary behaviors, practices and processes that represent current practices of the institution in supporting its cybersecurity activity assessment.” Financial institutions access addition cybersecurity risk management information here.
As previously discussed in InfoBytes, the CFPB released its Spring 2017 Supervisory Highlights, which outlined its supervisory and oversight actions in areas such as mortgage servicing and student loan servicing. The Supervisory Highlights also announced the CFPB’s plans to develop and implement a program to directly monitor key service providers to institutions it supervises to “potentially reduce risks to consumers at their source.” Section 1002(26)(A) of Dodd-Frank defines a “service provider” as “any person that provides a material service to a covered person in connection with the offering or provision by such covered person of a consumer financial product or service, including a person that: (i) participates in designing, operating, or maintaining the consumer financial product or service; or (ii) processes transactions relating to the consumer financial product or service….” Sections 1024(e) and 1025(d) of Dodd-Frank authorize the CFPB to supervise service providers to banks or non-banks that are already supervised by the CFPB such as depository institutions having more than $10 billion in assets as well as the following: mortgage originators, brokers or servicers; payday lenders; private student lenders; and other providers of consumer financial products or services in areas such as auto finance, debt collection, student loan servicing, consumer reporting, and international money transfers.
The Bureau stated that its initial work involves conducting baseline reviews of some service providers to learn about their structure, operations, compliance systems, and compliance management systems. “In more targeted work, the CFPB is focusing on service providers that directly affect the mortgage origination and servicing markets,” the Bureau noted. The CFPB plans to shape future service provider supervisory activities based on what it learns through its findings.
- Hank Asbill to discuss "Critique of direct examination; Questions and answers" at the American Bar Association Section of Litigation Anatomy of a Trial: Murder Trial of Ziang Sung Wan
- Hank Asbill to discuss "What judges want from trial lawyers" at the American Bar Association Section of Litigation Anatomy of a Trial: Murder Trial of Ziang Sung Wan
- Benjamin W. Hutten to discuss "Understanding OFAC sanctions" at a NAFCU webinar
- Warren W. Traiger to discuss "Key takeaways from proposed CRA modernization" at the New York Bankers Association Technology, Compliance & Risk Management Forum
- Garylene D. Javier to discuss "Navigating workplace culture in 2020" at the DC Bar Conference